The relation between Ising spin systems and public-key cryptography is investigated using methods of statistical physics. The insight gained from the analysis is used for devising a matrix-based cryptosystem whereby the ciphertext comprises products of the original message bits; these are selected by employing two predetermined randomly-constructed sparse matrices. The ciphertext is decrypted using methods of belief-propagation. The analyzed properties of the suggested cryptosystem show robustness against various attacks and competitive performance to modern cryptographical methods.
Public-key cryptography plays an important role in many aspects of modern information transmission, for instance, in the areas of electronic commerce and internet-based communication. It enables the service provider to distribute a public key which may be used to encrypt messages in a manner that can only be decrypted by the service provider. The on-going search for safer and more efficient cryptosystems produced many useful methods over the years such as RSA (by Rivest, Shamir and Adleman), elliptic curves, and the McEliece cryptosystem to name but a few.

In this Letter, we employ methods of statistical physics to study a specific cryptosystem, somewhat similar to the one presented by McEliece [1]. These methods enable one to study the typical performance of the suggested cryptosystem, to assess its robustness against attacks and to select optimal parameters.

The main motivation for the suggested cryptosystem comes from previous studies of Gallager-type error-correcting codes [||-|[ and their physical properties ||U. The analysis exposes a significantly different behaviour for the two-matrix based codes (such as the MN code j|) and single-matrix codes (J], which may be exploited for constructing an efficient cryptosystem.

In the suggested cryptosystem, a plaintext represented by an $N$ dimensional Boolean vector $\xi \in \{0,1\}^N$ is encrypted to the $M$ dimensional Boolean ciphertext $J$ using a predetermined Boolean matrix $G$, of dimensionality $M \times N$, and a corrupting $M$ dimensional vector $\zeta$, whose elements are 1 with probability $p$ and 0 otherwise, in the following manner

$$J = G\xi + \zeta \,, \qquad (1)$$

where all operations are (mod 2). The matrix $G$ and the probability $p$ constitute the public key; the corrupting vector $\zeta$ is chosen at the transmitting end. The matrix $G$, which is at the heart of the encryption/decryption process, is constructed by choosing two randomly-selected sparse matrices $A$ and $B$ of dimensionality $M \times N$ and $M \times M$ respectively, defining

$$G = B^{-1} A \pmod 2 \,.$$

The matrices $A$ and $B$ are generally characterised by $K$ and $L$ non-zero unit elements per row and $C$ and $L$ per column respectively; all other elements are set to zero. The finite, usually small, numbers $K$, $C$ and $L$ define a particular cryptosystem; both matrices are known only to the authorised receiver. Suitable choices of the probability $p$ will depend on the maximal achievable rate for the particular cryptosystem, as discussed below.

The authorised user may decrypt the received ciphertext $J$ by taking the (mod 2) product $BJ = A\xi + B\zeta$. Solving the equation

$$AS + B\tau = A\xi + B\zeta \pmod 2 \,, \qquad (2)$$

for the dynamical vectors $S$ and $\tau$ is generally computationally hard. However, decryption can be carried out for particular choices of $K$ and $L$ via the iterative methods of Belief Propagation (BP) ||, where pseudo-posterior probabilities for the decrypted message bits, $P(S_i = 1 \mid J)$, $1 \le i \le N$ (and similarly for $\tau$), are calculated by solving iteratively a set of coupled equations for the conditional probabilities of the ciphertext bits given the plaintext and vice versa. For details of the method used and the explicit equations see ||.
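
The construction above, as an added worked example (this is example code written for this page, not the authors' implementation): it builds a small instance with a random sparse $A$ ($K = 2$ ones per row, $C = 4$ per column, so $M/N = 2$), a sparse $B$, the public key $G = B^{-1}A \pmod 2$, encryption by Eq. (1), and the authorised user's decryption, which forms $BJ$ and runs belief propagation on the factor graph of Eq. (2) with the unbiased plaintext prior $F_s = 0$ and the noise prior $F_\tau = \frac{1}{2}\ln[(1-p)/p]$ that the text adopts below. Two choices are assumptions of this example and not statements of the paper. First, $B$ is taken as the bidiagonal matrix with unit diagonal and sub-diagonal: a matrix whose every row has even weight maps the all-ones vector to zero and so has no inverse mod 2, so one row of $B$ must have odd weight (here the first). Second, the first plaintext bit is fixed to 0 as an agreed reference: for even $K$ each row of $A$ sums the complement of $\xi$ to the same value as $\xi$ itself, so $G\xi = G(\xi \oplus 1)$ and the ciphertext alone cannot fix the global sign (the mirror solution at $m = -1$ discussed later); pinning that spin also seeds the BP messages, which would otherwise all start at exactly zero for an unbiased prior.

```python
# Added example for this page (not the paper's code): a toy instance of the
# two-sparse-matrix cryptosystem. Boolean vectors are Python ints used as bit
# sets (bit i = component i), matrices are lists of row masks, all arithmetic mod 2.
import math
import random

K = 2        # unit elements per row of A
C = 4        # unit elements per column of A; M*K == N*C gives M/N = 2
BIG = 30.0   # clip for log-likelihood ratios so atanh never sees +-1


def parity(x):
    return bin(x).count("1") & 1


def matvec(rows, v):
    """Matrix-vector product mod 2 (rows are bit masks, v a bit-set int)."""
    return sum(parity(r & v) << m for m, r in enumerate(rows))


def matmul(X, Y, ycols):
    """Matrix product X*Y mod 2, Y given as row masks of width ycols."""
    cols = [sum(((y >> c) & 1) << m for m, y in enumerate(Y)) for c in range(ycols)]
    return [sum(parity(x & col) << c for c, col in enumerate(cols)) for x in X]


def make_A(N, M, rng):
    """Random sparse M x N matrix, exactly K ones per row and C per column:
    column sockets are paired by a random permutation, redrawn if a row repeats."""
    assert M * K == N * C
    sockets = [c for c in range(N) for _ in range(C)]
    while True:
        rng.shuffle(sockets)
        rows = [sockets[K * r:K * (r + 1)] for r in range(M)]
        if all(len(set(r)) == K for r in rows):
            return [sum(1 << c for c in r) for r in rows]


def make_B(M):
    """Sparse M x M matrix B with two ones per row/column and its inverse mod 2
    (construction chosen for this example). If every row had even weight then
    B*1 = 0 and B would be singular, so B = I + S (S the sub-diagonal shift) is
    used: its first row has weight 1 and its inverse is lower-triangular all-ones."""
    B = [(1 << m) | ((1 << (m - 1)) if m else 0) for m in range(M)]
    B_inv = [(1 << (m + 1)) - 1 for m in range(M)]
    return B, B_inv


def keygen(N, seed=1):
    """Private key (A, B); public key is the dense G = B^-1 A (mod 2) and p."""
    rng = random.Random(seed)
    M = N * C // K
    A = make_A(N, M, rng)
    B, B_inv = make_B(M)
    return {"N": N, "M": M, "A": A, "B": B, "G": matmul(B_inv, A, N)}


def sample_plaintext(N, seed, ref_bit=0):
    """Constructed random plaintext with the agreed reference bit cleared."""
    return random.Random(seed).getrandbits(N) & ~(1 << ref_bit)


def encrypt(G, M, xi, p, rng):
    """Eq. (1): J = G xi + zeta with zeta_m = 1 w.p. p; zeta is returned only so
    the demo can count corrupted bits."""
    zeta = sum((rng.random() < p) << m for m in range(M))
    return matvec(G, xi) ^ zeta, zeta


def decrypt(key, J, p, ref_bit=0, max_iter=200):
    """Authorised decryption: form BJ = A xi + B zeta (Eq. 2) and solve for S, tau
    by belief propagation over the checks S_i1 S_i2 tau_j1 tau_j2 = J'_a with
    priors F_s = 0 and F_tau = 1/2 ln((1-p)/p); plaintext bit ref_bit is assumed 0."""
    A, B, N, M = key["A"], key["B"], key["N"], key["M"]
    y = matvec(B, J)
    # check a couples the S spins of row a of A with the tau spins of row a of B
    checks = [[i for i in range(N) if (A[a] >> i) & 1]
              + [N + j for j in range(M) if (B[a] >> j) & 1] for a in range(M)]
    sign = [1.0 - 2.0 * ((y >> a) & 1) for a in range(M)]      # J'_a as +-1
    prior = [0.0] * N + [0.5 * math.log((1 - p) / p)] * M       # F_s, F_tau
    prior[ref_bit] = BIG                                        # pin the reference spin to +1
    msg = [[0.0] * len(ch) for ch in checks]                    # check -> variable
    belief = prior[:]
    for it in range(1, max_iter + 1):
        new = []
        for a, ch in enumerate(checks):
            # variable -> check: total belief minus this check's own message
            t = [math.tanh(max(-BIG, min(BIG, belief[v] - msg[a][k])) / 2)
                 for k, v in enumerate(ch)]
            row = []
            for k in range(len(ch)):
                prod = sign[a]
                for k2 in range(len(ch)):
                    if k2 != k:
                        prod *= t[k2]
                row.append(2.0 * math.atanh(max(-1 + 1e-12, min(1 - 1e-12, prod))))
            new.append(row)
        msg = new
        belief = prior[:]
        for a, ch in enumerate(checks):
            for k, v in enumerate(ch):
                belief[v] += msg[a][k]
        up = [b >= 0 for b in belief]                            # spin +1 ?
        # stop once the hard decisions satisfy every check
        if all((sum(1 for v in ch if not up[v]) % 2 == 0) == (sign[a] > 0)
               for a, ch in enumerate(checks)):
            break
    return sum((not up[i]) << i for i in range(N)), it         # S_i = -1 <-> xi_i = 1


def demo(N=120, p=0.02, seed=7):
    """Round trip on a noisy ciphertext: (plaintext bit errors, corrupted bits, BP iterations)."""
    key = keygen(N, seed)
    xi = sample_plaintext(N, seed)
    J, zeta = encrypt(key["G"], key["M"], xi, p, random.Random(seed + 1))
    xi_hat, iters = decrypt(key, J, p)
    return bin(xi ^ xi_hat).count("1"), bin(zeta).count("1"), iters


if __name__ == "__main__":
    errs, flips, iters = demo()
    print(f"{flips} corrupted ciphertext bits, {errs} plaintext errors after {iters} BP iterations")
```

For an uncorrupted ciphertext the decoder is exact: every message carries the correct sign, so the run ends as soon as the pinned reference spin has reached all plaintext spins through the check graph. With corruption at $p = 0.02$, well below the critical rate reported below for $M/N = 2$, the demo usually returns zero plaintext errors within a few tens of iterations, but at this toy size a few residual errors can occur, which is the finite-size effect the text notes; the block therefore reports the counts rather than asserting them.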

The unauthorised receiver, on the other hand, faces the task of decrypting the ciphertext $J$ knowing only $G$ and $p$. The straightforward attempt to try all possible $\zeta$ constructions is clearly doomed, provided that $p$ is not vanishingly small, giving rise to only a few corrupted bits; decomposing $G$ into the matrices $A$ and $B$ is known to be a computationally hard problem j?j, even if the values of $K$, $C$ and $L$ are known. Another approach to studying the problem is to exploit the similarity between the task at hand and the error-correcting model suggested by Sourlas H, which we will discuss below.

The treatment so far was completely general. We will now make use of insight gained from our analysis of Gallager-type || and Sourlas |J error-correcting codes to suggest a specific cryptosystem construction and to assess its performance and capabilities. The method used in both analyses |^J^] is based on mapping the problem onto an Ising spin system Hamiltonian, in the manner discovered by Sourlas |Q, which enables one to analyse typical properties of such systems.
To facilitate the mapping we employ binary representations ($\pm 1$) of the dynamical variables $S$ and $\tau$, the vectors $J$, $\zeta$ and $\xi$ and the matrices $A$, $B$ and $G$, rather than the Boolean (0,1) ones.

The binary ciphertext $J$ is generated by taking products of the relevant binary plaintext message bits, $J_{\langle i_1, i_2, \ldots\rangle} = \xi_{i_1}\xi_{i_2}\cdots\,\zeta_{\langle i_1, i_2, \ldots\rangle}$, where the indices $i_1, i_2, \ldots$ correspond to the non-zero elements of $B^{-1}A$, and $\zeta_{\langle i_1, i_2, \ldots\rangle}$ is the corresponding element of the corrupting vector (the indices $\langle i_1, i_2, \ldots\rangle$ correspond to the specific choice made for each ciphertext bit). As we use statistical mechanics techniques, we consider both plaintext ($N$) and ciphertext ($M$) dimensionalities to be infinite, keeping the ratio between them, $N/M$, finite. Using the thermodynamic limit is quite natural here as most transmitted ciphertexts are long and finite size corrections are likely to be small.

An authorised user may use the matrix $B$ to obtain Eq. (2). To explore the system's capabilities one examines the Gibbs distribution based on the Hamiltonian. The tensor product $\mathcal{D}_{\langle i_1,\ldots,i_K;\, j_1,\ldots,j_L\rangle}\,\mathcal{J}_{\langle i_1,\ldots,i_K;\, j_1,\ldots,j_L\rangle}$ appearing in it, where $\mathcal{J}_{\langle i_1,\ldots,i_K;\, j_1,\ldots,j_L\rangle} = \xi_{i_1}\xi_{i_2}\cdots\xi_{i_K}\,\zeta_{j_1}\zeta_{j_2}\cdots\zeta_{j_L}$, is the binary equivalent of $A\xi + B\zeta$, treating both signal ($S$ and index $i$) and the corrupting noise vector ($\tau$ and index $j$) simultaneously. Elements of the sparse connectivity tensor $\mathcal{D}_{\langle i_1,\ldots,i_K;\, j_1,\ldots,j_L\rangle}$ take the value 1 if the corresponding indices of both signal and noise are chosen (i.e., if all corresponding elements of the matrices $A$ and $B$ are 1) and 0 otherwise; it has $C$ unit elements per $i$-index and $L$ per $j$-index, representing the system's degree of connectivity. The $\delta$ function provides 1 if the selected sites' product $S_{i_1}\cdots S_{i_K}\,\tau_{j_1}\cdots\tau_{j_L}$ is in disagreement with the corresponding element $\mathcal{J}_{\langle i_1,\ldots,j_L\rangle}$, recording an error, and 0 otherwise. Notice that this term is not frustrated, and can therefore vanish at sufficiently low temperatures ($T = 1/\beta \to 0$), imposing the restriction of Eq. (2), while the last two terms, scaled with $\beta$, survive. The additive fields $F_s$ and $F_\tau$ are introduced to represent our prior knowledge on the signal and noise distributions, respectively.

The random selection of elements in $\mathcal{D}$ introduces disorder to the system which is treated via methods of statistical physics. More specifically, we calculate the partition function $Z(\mathcal{D}, J) = \mathrm{Tr}_{\{S,\tau\}}\exp[-\beta\mathcal{H}]$, which is then averaged over the disorder and the statistical properties of the plaintext and noise, using the replica method to obtain the related free energy $\mathcal{F} = -\langle \ln Z \rangle_{\mathcal{D},\xi,\zeta}$. The overlap between the plaintext and the dynamical vector, $m = \frac{1}{N}\sum_{i=1}^{N}\xi_i S_i$, will serve as a measure for the decryption.



Studying this free energy for the case of $K = L = 2$ and in the context of error-correcting codes |J indicates the existence of paramagnetic and ferromagnetic solutions, depicted in the inset of Fig. 1. For corruption probabilities $p > p_s$ one obtains either a dominant paramagnetic solution or a mixture of ferromagnetic ($m = \pm 1$) and paramagnetic ($m = 0$) solutions, as shown in the inset; thin and thick lines correspond to higher and lower free energies respectively, dashed lines represent unstable solutions. Lines between the $m = \pm 1$ and $m = 0$ axes correspond to sub-optimal ferromagnetic solutions. Reliable decryption may only be obtained for $p < p_s$, which corresponds to a spinodal point, where a unique ferromagnetic solution emerges at $m = 1$ (plus a mirror solution at $m = -1$).

The most striking result is the division of the complete space of $S$ and $\tau$ values into two basins of attraction for the ferromagnetic solutions, for $p < p_s$, implying convergence from any initialisation of the BP equations. Critical corruption rate values for $M/N = 2$ were obtained from the analysis and via BP solutions as shown in Fig. 1, in comparison to the rate obtainable from Shannon's channel capacity |j] (solid line). The priors assumed for both the plaintext (unbiased in this case, $F_s = 0$) and the corrupting vector ($F_\tau = \frac{1}{2}\ln[(1-p)/p]$) correspond to Nishimori's condition [11], which is equivalent to having the correct prior within the Bayesian framework [12].
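
Why this value of $F_\tau$ is the correct prior, written out as an added remark that is not part of the original text: in the $\pm 1$ representation a noise spin $\tau_j$ equals $+1$ (no corruption) with probability $1-p$ and $-1$ with probability $p$. A field term in the Hamiltonian produces a prior of exponential form,
$$P(\tau_j) = \frac{e^{F_\tau \tau_j}}{2\cosh F_\tau}\,, \qquad \frac{P(\tau_j = +1)}{P(\tau_j = -1)} = e^{2F_\tau} = \frac{1-p}{p}\,,$$
so matching the two gives $F_\tau = \frac{1}{2}\ln\frac{1-p}{p}$, the value quoted above. In the same way $F_s = 0$ encodes $P(S_i = \pm 1) = 1/2$, i.e. an unbiased plaintext.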

The initial conditions for the BP-based decryption were chosen almost at random, with a very slight bias of $O(10^{-12})$ in the initial magnetisation, corresponding to the typical statistical fluctuation for a system size of $10^{24}$. Cryptosystems with other $K$ and $L$ values, e.g., $K, L > 3$, seem to offer optimal performance in terms of the corruption rate they accommodate theoretically, but suffer from a decreasingly small basin of attraction as $K$ and $L$ increase. The co-existence of stable ferromagnetic and paramagnetic solutions implies that the system will converge to the undesired paramagnetic solution ]j| from most initial conditions, which are typically of close-to-zero magnetisation. It may still be possible to use successfully specific matrices with higher $K$ and $L$ values (such as in pU); however, these cannot be justified theoretically and there is no clear advantage in using them.

To conclude, for the authorised user, the $K = L = 2$ cryptosystem offers a guaranteed convergence to the plaintext solution, in the thermodynamic limit $N \to \infty$, as long as the corruption process has a probability below $p_s$. The main consequence of finite plaintexts would be a decrease in the allowed corruption rate with little impact on the decoding success.

The task facing the unauthorised user, i.e., finding the plaintext from Eq. (1), was investigated via similar methods by considering the Hamiltonian at Nishimori's temperature $\beta = \frac{1}{2}\ln[(1-p)/p]$. The number of plaintext bits in each product is denoted $K'$, $S$ is the $N$ dimensional binary vector of dynamical variables and $\mathcal{G}$ is a dense tensor with $C$ unit elements per index (setting the rest of the elements to zero) and is the binary equivalent of the Boolean matrix $G$. The latter, together with the statistical properties of the corrupting vector $\zeta$, constitutes the public key used to determine the ciphertext $J$. The last term on the right is required in the case of sparse or biased messages and will require assigning a certain value to the additive field $F_s$.

The matrix $G$ generated in the case of $K = L = 2$ is dense and has a certain distribution of unit elements per row. The fraction of rows with a low (finite, not of $O(N)$) number of unit elements vanishes as $N$ increases, allowing one to approximate this scenario by the diluted Random Energy Model fo| studied in § where $K', C \to \infty$ while keeping the ratio $C/K'$ finite.

To investigate the typical properties of this (frustrated) model, we calculate again the partition function and the free energy by averaging over the randomness in choosing the plaintext, the corrupting vector and the random matrix $G$ (being generated by a product of two sparse random matrices). To assess the likelihood of obtaining spin-glass/ferromagnetic solutions, we calculated the free energy landscape (per plaintext bit, $f$) as a function of the overlap $m$. This can be carried out straightforwardly using the analysis of [5], and provides the energy landscape shown in Fig. 2. This has the structure of a golf course with a relatively flat area around the one-step replica symmetry breaking (frozen) spin-glass solution and a very deep but extremely narrow area, of $O(1/N)$, around the ferromagnetic solution. To validate the use of the random energy model we also added numerical data (+, with error bars), obtained by BP, which are consistent with the theoretical results.

This free-energy landscape may be related directly to the marginal posterior $P(S_i = 1 \mid J)$, $1 \le i \le N$, and is therefore indicative of the difficulties in obtaining ferromagnetic solutions when the starting point for the search is not infinitesimally close to the original plaintext (which is clearly highly unlikely). It is plausible that any local search method, starting at some distance from the ferromagnetic solution, will fail to produce the original plaintext. Similarly, any probabilistic method, such as simulated annealing, will require an exponentially long time to converge to the $m = 1$ solution. Numerical studies of similar energy landscapes show that the time required increases exponentially with the system size [14].

Most attacks on this cryptosystem by an unauthorised user will face the same difficulty: without explicit knowledge of the current plaintext and/or the decomposition of $G$ into the matrices $A$ and $B$, it will require an exponentially long time to decipher a specific ciphertext. Partial or complete knowledge of the ciphertext/plaintext as well as partial knowledge of the matrix $B$ (while $O(N)$ of the elements remain unknown) will not be helpful for decomposing $G$, which will still require an exponentially long time to carry out.

We will consider here two attacks on specific plaintexts with partial knowledge of the corrupting vector $\zeta$ or of the matrix $B$. In the first case, knowing $p_a M$ of the $pM$ corrupting bits may allow one to subtract the approximated vector $\zeta$ from the ciphertext and take the product of $G^{-1}$ and the resulting ciphertext. This attack is similar to the task facing an unauthorised user with a reduced corruption rate of $(p - p_a)$. For any non-vanishing difference between $p_a$ and $p$, deciphering the transmitted message remains a difficult task.

A second attack is that whereby the matrix $B$ is known to some degree; for instance, the location of a fraction of the unit elements, say $1 - \rho$, is known. From Eq. (2) one can identify the absent information as having a higher effective corruption level of $p + g(\rho)$, where $g(\cdot)$ is some non-trivial function that depends on the actual scenario. To secure the transmission one may work sufficiently close to the critical corruption level $p_s$ such that the additional effective noise $\rho$ will bring the system beyond the critical corruption rate and into the paramagnetic/spin-glass regime. However, the drawbacks of working very close to $p_s$ are twofold: firstly, average decryption times using BP methods ($\tau$) will diverge proportionally to $1/(p_s - p)$, as demonstrated in the inset of Fig. 2. Secondly, finite-size effects are expected to be larger close to $p_s$, which practically means that the system may not converge to the attractive optimal solutions in some cases.

We will end this presentation with a short discussion on the advantages and drawbacks of the suggested method in comparison with existing techniques. Firstly, we would like to point out the differences between this method and the McEliece cryptosystem. The latter is based on Goppa codes and is limited to relatively low corruption levels. These may allow for decrypting the ciphertext using (many) estimates of the corruption vector. Our suggestion allows for a significant corruption level, thus increasing the security of the cryptosystem. In addition, the suggested construction, $K = L = 2$, is not discussed in the information theory literature (e.g. in ||), which typically prefers higher $K, L$ value systems. Secondly, in comparison to RSA, where decryption takes $O(N^3)$ operations, our method only requires $O(N)$ operations, multiplied by the number of BP iterations (which is typically smaller than 100 for most system sizes examined, except very close to $p_s$). Encryption costs are of $O(N^2)$ (as in RSA) while the inversion of the matrix $B$ is carried out only once and requires $O(N^3)$ operations.

The two obvious drawbacks of our method are: 1) The transmission of the public key, which is a dense matrix of dimensionality $M \times N$. However, as public key transmission is carried out only once for each user, we do not expect it to be of great significance. 2) The ciphertext to plaintext bit ratio is greater than one to allow for corruption, in contrast to RSA where it equals 1. Choosing the $N/M$ ratio is in the hands of the user and is directly related to the security level required; we therefore do not expect it to be problematic as the increased transmission time is compensated by a very fast decryption.

We examine the typical performance of a new cryptosystem, based on insight gained from our previous studies, by mapping it onto an Ising spin system; this complements the information theory approach, which focuses on rigorous worst-case bounds. We show that authorised decryption is fast and simple while unauthorised decryption requires a prohibitively long time. Important aspects that are yet to be investigated include finite size effects and methods for alleviating the drawbacks of the new method.
FIG. 1. Critical transmission rate as a function of the corruption rate $p$ for an unbiased ciphertext. Numerical solutions (of the analytically obtained equations, $\circ$) and BP iterative solutions (of system size $N = 10^4$, +) were averaged over 10 different initial conditions of almost zero magnetisation, with error bars much smaller than the symbol size. Inset: the ferromagnetic (F) (optimal/sub-optimal) and paramagnetic (P) solutions as functions of $p$; thick and thin lines denote stable solutions of lower and higher free energies respectively, dashed lines correspond to unstable solutions.
FIG. 2. The free energy landscape as a function of $m$ for the transmission rate $N/M = 1/2$ and flip rate $p = 0.08$; theoretical values are represented by the solid line, numerical data, obtained by BP ($N = 200$) and averaged over 10 different initial conditions, are represented by symbols (+). The landscape is deep and narrow (of width $O(1/N)$) at $m = 1$ and rather flat elsewhere. Inset: scatter plot of mean decryption times $\tau$. The optimal fitting of straight lines through the data provides another indication for the divergence of decryption time for corruption rates close to $p_s = 0.953 \pm 5$ (in this example).